Use Business Units, Security Roles and Teams to define the business structure. Initially, CRM contains a root Business Unit with default Security Roles.
The security model in CRM provides access to records and features of the application. This affects the UI; users only see what they can access.
Business Units (BU): Hierarchy containing groups of Users and Teams; helps filter records; usually not the same structure as the company’s org chart; can represent subsidiaries, divisions departments, responsibilities, etc.; BU's (except the root BU) can be moved (re-parented), disabled (records not lost) and deleted.
Root Business Unit: Can change its name; Cannot delete or disable. Cannot move to have a parent; cannot have a parent.
Security Roles: CRM uses Security Roles to define privileges that are assigned to a User or Team; CRM provides 15 default roles; they belong to Business Units; auto-copied down BU hierarchy; name dupes allowed down hierarchy; recommendation is to copy default roles and then use those copies (keep originals); copied roles go to the same BU only; system administrator role has access to everything except user views, charts and UI settings; you can copy the sys admin role; roles are additive (highest access level applies); cannot be moved to other BU’s; when moving user or team to different BU, all security roles are removed for that user/team
Privileges: Define actions user can perform; privileges include Create, Read, Write, Delete, Append, Append To, Assign, Share
Access Levels: describe where the owner of the record must be located in the BU hierarchy in relation to the User who tries the action for the action to be permitted; levels include None, User, Business Unit, Parent:Child Business Unit, Organization
Teams: groups users from one or more Business Units; can assign security roles to teams;
Effect of Security Roles and Field Security
In Microsoft Dynamics CRM, security applies at the following levels:
Entity: Security is managed through Security Roles.
Record: Security is enabled by sharing specific records and allocating share permissions.
Field: Security is controlled by using Field Security Profiles.
The access that a user has to a field on a specific record is the result of the interaction of all three security types.
Overview
Effect of Security Roles and Field Security
In Microsoft Dynamics CRM, security applies at the following levels:The access that a user has to a field on a specific record is the result of the interaction of all three security types.
Links
How role-based security can be used to control access to entities in Microsoft Dynamics CRMSecurity Roles and Teams in CRM 2011
Append vs. Append To permissions
Example of Security Roles for the Salesperson role
How Security Roles Roll-up